Cyber War Scenario: What are the Defenses?
Rajabahadur V. Arcot RR Concepts
Independent Industry Analyst/Columnist and Manufacturing IT Consultant
Disclaimers
• I am an Industrial Control System Professional
• The Stuxnet episode and the Aurora experiment spurred me to take an interest in ICS cyber security issues, the cyber war scenario, and possible defenses
“Cyber war, cyber terrorism, and cyber espionage are topics of increasing timeliness, and our nation and its citizens will be ill prepared to deal with these threats if those topics never get any discussion….” So said Joe Sauver, Ph.D., at the IT Security Conference, USA
Overview
• Structured to create awareness
• To spur all stakeholders (interested in providing defenses against cyber attack) to take serious note of the threats and contribute to finding solutions
Cyber War Threat is Real
• Cyber weapons are powerful
• They can be launched simultaneously from different locations and on multiple targets
• They are the least-cost weapons option and capable of very precisely putting out of service
– Essential critical infrastructure industries and services
– Conventional offensive and defensive capabilities
– Cause panic and confusion
World is Getting Ready
Critical Infrastructure Industries
• Power utilities
• Water utilities
• Communication
• Oil and Gas installations
• Chemical and Pharmaceutical industries
• Transportation
• Offensive and defensive capabilities
• Others
Operated by Control Systems – PLC, DCS, SCADA – built on IT open platforms
• BYOD connected
• Connected to Internet
• Networked
• Innumerable embedded systems
• Innumerable end points
• GPS controlled
Control Systems Connectivity
Typical Critical Infrastructure Control System Architecture
Seeking Defense From Cyber Attack
Quotation from CERN (European Council for Nuclear Research) Presentation
“Incorporate cyber risks into existing risk management and governance processes. Cyber Security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the enterprise.”
US Department of Homeland Security’s advice to CEOs
Overview
General
• Recognize ICS cyber security challenges are different from ensuring data security
• Protecting the enterprise begins with implementing straightforward, proper work-related systems, such as installing passwords, Media Access Control, software updates, virus scanners, firewalls, “data diode” systems, and others
• Eternal vigilance and the readiness and ability of the enterprise to identify, recover from, and nullify the effects of a cyber-attack are key to achieving a fair degree of protection
• Ability and preparedness to initiate counter measures to recover quickly from the attack are critical
Seeking Defense From Cyber Attack
Critical Infrastructure Industries
• CII to gain awareness and instill awareness among the workforce
• Create an in-house industrial control-system cyber security team
• Team to consist of experts in automation & process technologies in addition to experts in information and communication technologies
• Team to carry out security audit, vulnerability assessment, and penetration testing, and evolve specific policies & procedures and a crisis management program
• The team may seek the support of technology solution providers and competent system integrators / consultants having the appropriate skills in industrial control-system cyber security
• Companies, planning to install new control systems, must seek readiness of their potential suppliers to provide safeguards and their plans to ensure adherence to cyber security standards
• Build competence in system engineering of ICS and ensure defense through system engineering
• Train operators and operating workforce to track anomalous performances
Seeking Defense From Cyber Attack
• Build backup infrastructure
• Build cyber workforce
• Put in place a mechanism to prevent panic and confusion
Seeking Defense From Cyber Attack
Policy Makers
• Take secrecy veil off electronic warfare
• Universities, industries and institutes to plug the gap in knowledge in the sector
Control System Suppliers / IT Technology Suppliers
• Until now, automation systems have typically been designed to meet operational (including functional safety) and business needs
• Before Stuxnet, securing the control systems from cyber-threats was not part of the requirement criteria and as such was not on the radar screen of automation companies and standards’ committees
• However, the growing recognition that cyber threats are real calls for ensuring secure functioning of the control systems even in the event of cyber-attacks. ICS suppliers must recognize that cyber security is integral to functional safety
• Automation companies may have to go back to their drawing boards to design automation systems that include security as one of the manufacturing industries’ fundamental requirements
• Automation suppliers must offer control systems that have strong security features to ensure protection from cyber-attacks and ensure compliance with ISA 99 and other standards
Providing Defense From Cyber Attack
• Build competence to carry out security audit, vulnerability assessment, and penetration testing
• Industry must come together to develop standards to govern embedded system and product design – Trusted Computing
• In all future product development, security should take equal priority with, if not precedence over, functionality and features
• Let us not repeat the Y2K story!
Providing Defense From Cyber Attack
IT Service Providers
Thanks